Security Bulletin: CVE-2014-0224: OpenSSL SSL/TLS MITM vulnerability

The OpenSSL library included in the GameStream components of GeForce Experience prior to 2.1.1 and SHIELD Hub prior to 3.2.18713345 is subject to the recently disclosed OpenSSL SSL/TLS MITM vulnerability (CVE-2014-0224). As a result, an attacker who successfully exploited this vulnerability could potentially steal confidential GameStream session data, including the user password, as well as modify session data.

Exploit Scope and Risk:

To take advantage of this vulnerability, an attacker would need to execute a Man-In-The-Middle (MITM) attack. Such attacks are possible on wireless networks. NVIDIA is not aware of the existence of any actual exploits that leverage this vulnerability in our GameStream client.

NVIDIA has fixed this issue via an NVIDIA GeForce Experience update. To eliminate this vulnerability, we strongly recommend that end users update their systems to NVIDIA GeForce Experience version 2.1.1 or later as follows:

1. Launch the GeForce Experience client from the Start menu

2. Click the Preferences tab and select Updates in the left navigation pane

3. Click Check Now and follow the subsequent instructions

SHIELD Portable or SHIELD Tablet: To eliminate this vulnerability, we strongly recommend that end users update their systems to SHIELD Hub version 3.2.18713345 or later as follows:

If SHIELD Hub is not installed on your SHIELD Portable or SHIELD Tablet:

1. Go back to Home and tap the All Apps button (circle with six dots) at the center of the Favorites Tray

2. Launch Settings

3. Tap About SHIELD or About tablet

4. Tap System updates and follow the subsequent instructions

If SHIELD Hub is installed on your SHIELD Portable or SHIELD Tablet:

1. Launch the Play Store app

2. Tap the shopping bag with triangle on the top left

3. Tap My apps

4. Tap NVIDIA SHIELD Hub

5. Tap UPDATE and follow the subsequent instructions

Mitigations:

· Stopping and disabling the Windows NVIDIA GameStream service as follows, while reducing functionality, will eliminate this vulnerability:

1. Right-click Computer and select Manage to bring up the Computer Management console

2. Select Services and Applications and double-click Services to display the list of installed services

3. Right-click the NVIDIA Streamer Service to display its properties

4. Click Stop to stop the service, and change the Startup Type pop-up menu to Disabled

5. Click Apply and then OK to save changes, then quit the Computer Management console

This can also be done from a Windows command prompt as follows:

1. Right-click Start->Accessories->Command Prompt and select Run as Administrator.

2. Execute the following commands:

sc stop NvStreamSvc

sc config NvStreamSvc start= disabled

· Avoiding using GameStream on public WiFi networks will reduce the risk of being exploited through this vulnerability.
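
The service mitigation above can also be applied and then verified from an elevated PowerShell prompt. This is an added example, not NVIDIA's own tooling: the function name Disable-GameStreamService is hypothetical, the service name NvStreamSvc is the one used in the sc commands above, and a host where the service is not installed is assumed to need no action.

```powershell
# Added example: apply and verify the GameStream service mitigation.
# Run elevated. NvStreamSvc is the service name from the bulletin's sc commands.
$ServiceName = 'NvStreamSvc'

# Hypothetical helper name, not part of any NVIDIA tool.
function Disable-GameStreamService {
    param([string]$Name = $ServiceName)

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Assumption: no service installed means there is nothing to disable here.
        return [pscustomobject]@{
            Service = $Name; Present = $false
            State = $null; StartMode = $null; Mitigated = $true
        }
    }

    # Equivalent of "sc stop NvStreamSvc"; skipped if already stopped.
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $Name -Force -ErrorAction Stop
    }
    # Equivalent of "sc config NvStreamSvc start= disabled".
    Set-Service -Name $Name -StartupType Disabled -ErrorAction Stop

    # Re-read the state from the system instead of trusting the calls above.
    $current = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    [pscustomobject]@{
        Service   = $Name
        Present   = $true
        State     = $current.State
        StartMode = $current.StartMode
        Mitigated = ($current.State -eq 'Stopped' -and
                     $current.StartMode -eq 'Disabled')
    }
}

$result = Disable-GameStreamService
$result | Format-List
if (-not $result.Mitigated) {
    Write-Warning "$ServiceName is still running or not disabled."
    exit 1
}
```

Re-running the script after a driver or GeForce Experience reinstall confirms that the service has not been re-enabled.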
